Cyber era brings new kinds of supply-chain threats

By Amber Corrin

Sep 27, 2012

Problems in the Defense Department’s supply chain aren’t a new issue. The military has always been at risk from enemies and had a need for tight security. A GAO sting operation earlier this year highlighted some vulnerabilities, for example.

But the prevalence of digital systems brings a newer kind of threat: one that can be tiny in size but huge in potential impact. It is the risk of electronic components that have been altered to digitally infiltrate U.S. defense systems.

"We’re now worried [about] the integrity of the products coming into our global supply chain that might compromise businesses confidentiality or the overall availability of essential services,” said Melissa Hathaway, former White House cybersecurity adviser and now president of Hathaway Global Solutions. Hathaway spoke as part of a panel at the Potomac Institute in Washington on Sept. 26.

The globalization of the market and the supply chain opens the door to more potential adversaries gaining access to parts, the panelists indicated.

“Products are being built, delivered, maintained and upgraded all around the world, and they are vulnerable to opponents who wish harm,” Hathaway said. She added that the global nature of today’s manufacturing cycle “provides adversaries, or these opponents, with greater opportunities to manipulate the product from design through its entire life cycle,” including the possibility of gaining access to DOD networks.

Brett Lambert, deputy assistant secretary of defense for manufacturing and industrial base policy, admitted that Pentagon officials have seen cases of chips with “built-in back doors” that could allow system access for espionage or data theft.

"The vast majority of this is really criminal behavior,” Lambert said, noting that the problem is exacerbated by the government’s increased of commercial products, which can be more difficult to track and regulate than custom-built goods.

The digital aspect of the supply chain worries represent a step further than more traditional concerns of just physical risks, as were the subject of the GAO’s operation and resultant study. In those cases the concern was more often about parts that were counterfeit and could possibly fail or not function at all – equally dangerous, but with a different intent.

“It started out in the way of theft…[but now] our real concern and fear is that it could evolve past that, to destruction,” said Dennis Bartko, special assistant for cyber to the National Security Agency director.

So what can be done about the problem?

Bartko said he was encouraged by the growing federal use of cloud, which allows for data to be stored in different servers, dispersing the elements that enemies want to target. Cloud’s institution also allows for built-in security from the start, allowing for better protection, he added.

Another solution discussed at the panel was the idea of incentives, such as tax credits to companies that invest in good, more secure processes and practices to create better products in the future, as Hathaway noted.

Other possible solutions include the growing use of a trusted supplier list, and the potential for DOD to buy electronic parts from “trusted foundries” – highly secure manufacturers based in the U.S.

According to Lambert, the trusted foundries may be the answer for a narrow swath of very high-priority programs, but it’s expensive, puts limitations on global innovation and won’t work for most weapons systems. He also stressed that further regulations wouldn’t be a viable option, either.

“We’re really looking at incentives, not disincentives,” Lambert said. “The old standby remedy to most supply chain concerns of ‘mandate it’ won’t work in the new global reality. Strict regulations and restrictions, when you talk about technology, never really work over a long period…we find ourselves coming up with great standards but alienating the very technological edge we’re seeking.”

The Census Bureau hasn't established a time frame for its cloud computing plans, including testing for scalability, security, and privacy protection, as well as determining a budget for cloud services.